I've configured iptables to act as a stateful firewall, but instead of simply rejecting packets I'd like to waste a potenial hackers time by droping any packet that would otherwise be returned. Are my rules sufficient or have I somehow opened myself up to an attacker by trying to write these rules myself?
View 3 RepliesI have a caching dns and SNMP ( MRTG ) both on the same server how can I permit dns and snmp traffic in INPUT chain?? I have tried the following:
iptables -A INPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --sport 1024:65535 --dport 161:162 -j ACCEPT
iptables -A INPUT -p udp --sport 161:162 --dport 1024:65535 -j ACCEPT
I recently set up a ftp server in my house running a dyndns service so I can get to it from the outside. I called my isp to get some help in setting up the router to forward port 21 from the outside to that box, and in short we had some problems. Long story short, they ended up bypassing the router itself, and now the line running to the box is its own fixed external ip. Naturally I want a pretty darn good iptables setup for this. The box runs proftpd and so far my iptables only accepts local loopback and port-21. (I left port 80 closed as its only purpose is to be a standalone ftp server) But I know there must be a safer rule for port 21, as right now its just wide open. Anyone have any ideas on how to make this a bit safer? Also would that command be fine for any of the linux machines im connecting to it from the outside too?
View 3 Replies View RelatedI don't know if FC15 has the iptable rules like the ones shown below by default or not but I wanted a second opinion about the safety they provide. Why is icmp accepted (INPUT rule 1) from/to all ip? and is it better to remove this rule? When the protocol is all (INPUT rule 2), does it mean from ip layer and above?? and is it required/safe to have this rule? The 3rd rule is to allow tcp-port 22 connections (ssh) to/from all ip. I think this is correctly set and required. The 4th rule in INPUT table rejects pings with the icmp-host-prohibited message; which I don't think is the best solution. Instead it can be set to silently drop icmp packets. Then, the FORWARD table uses reject instead of silent drop for forwarding icmp ping packets.
Code:
what do you think about the new rules and their order?
I'm trying to set up a firewall at the moment that allows access to my custom SSH port from only my friend's url (they have a static url but dynamic IP). I find iptables a bit of a nightmare and was hoping to use UFW for most of my day to day firewall maintenance and just make a few extra iptable rules to cover exceptional circumstances like this. Fortunately it seems UFW allows this with /etc/ufw/before.rules and /etc/ufw/after.rules. So at the moment I'm just trying to get the basic iptables rules right. As I say I'm not very good with iptables, does this look right?
Code:
## Drop Default SSH port access With Logging
iptables -N SSH_DEFAULT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_DEFAULT
[code].....
Explain the following iptable rules for me?
I understand 1 and 2, 1 creates the new syn_flood chain and 2 redirects all SYN requests to the new syn_flood chain.
I'm having trouble understanding 3 and 4. can someone explain to me in laymen terms the --limit 1/s and --limit-burst 3?
How would you remove all iptable rules and chains?
View 2 Replies View RelatedI am having a Xen server xend daemon is taking care of giving interface names like vif1.0 or vif0.2 to the connected guest operating systems on it.I can not save the current IPTABLE rules since upon reboot the xend daemon gives different names to virtual ethernet interfaces i.e. vif1.0 or vif3.0 or vif9.0 like that.I have some rules that I want to be active upon subsequent reboots and not all.Say for example an SSH to external server at port 8000 should forward the request to a machine on LAN.Which I have done by port forwarding from IPTABLES.So I need to save some rules.I was thinking to make a script which on reboot activates those rules.
I am not clear on where to do that.I came across internet and found /etc/network/if-up.d/I am not clear with this directory my question is if I make a scrip which has IPTABLE rules as I want and save it in above folder will it work. I am not clear with what is /etc/network/if-up.dfor.Suppose my logic is wrong then how should I go for it.Also I want to know does a protocol uses two port to make a connection.I have forgotten that thing,i.e if I run an SMTP or ssh then do they use port 22 and 23 both in case of ssh or 25 and 26 both for SMTP like that or just specifying the rules for one port will be enough.I tested these rules in a secure environment where i had disabled firewall and ssh forwarding on router worked well
Is there a way to check older iptable rules that were loaded? I accidentally overwrote my iptables and that has killed internet access to all computers in the intranet. I must have accidentally deleted some line in the iptable rules and cannot figure how to get it back to how it was. I am using Debian 5.05 by the way.
View 1 Replies View Relatedwrote a network emulator program in c programming. It can run for ubuntu terminal with good performance.But i have to make it for web-based user configuration. So i had setup apache web server and write this program in cgi script and try to execute this program from web page.This program must be run in root privilege($sudo -s) and add the iptables rules such as (#iptables -A OUTPUT -j QUEUE). So my question is how to add iptables rules in my cgi scripts? How to set the superuser(root privilege) permission to access my program through web server?
View 2 Replies View RelatedI have a Bluetooth connected to my desktop computer, it's on all the time, I use it to transfer files between PC and cell phone. I was searching Google about hacking Bluetooth and all I found was about hacking mobile devices. I don't care about my cell phone - it has nothing important, but I'm curious about my PC security. Can someone get access to my HDD via Bluetooth like it's possible via Wi-Fi?
View 5 Replies View RelatedI need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
[Code]...
I need help creating an iptable rule. The iptables are installed on my router. My router also connects to a "hide my a**" vpn account
at 79.142.65.5:443 The goal is to somehow force the traffic to go through the vpn, because what sometimes happens is, the vpn connection drops (for what ever reason) and my real ip becomes exposed. Basically, I want to block "myself" from accessing the Internet when not connected to the vpn because of privacy concerns.
Below is my iptables. It has the 3 default chains and it also has many custom user chains. I need to know what kind of a rule to add, What interface to apply it to (lo,tun0,br-lan,eth1) and the correct chain to insert into.For example, you could tell me something like:
Quote:
FORWARD chain, change rule 1 to
iptables -R FORWARD 1 -j zone_wan_MSSFIX -p tcp --destination-port 443 -i eth1
Obviously, That was just a guess, I need someone that knows iptables to help me.
Code:
Chain INPUT (Policy: ACCEPT)
Rule # Traffic Target Prot In Out Source Destination Options
Rule 1 72.95 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Rule 2 1.11 GB ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
Is it possible to block a subdomain or a one lower level directory URL access from other hosts or network ? I have a site running on my server and i want to block the particular directory under the domain, with the exception of loopback access? I mean the directory must be accessible from loopback/localhost.
[url] on port 10016(expect loopback)
[url] on port 10016 (expect loopback)
Code:
I have a server that is on a high port number, and people want it on port 80. For root exploit issues people say the server can not run as root. So to solve things I want to redirect port 80 to a high port number, say 12345 on the machine. This has been discussed all over the web, so I find I need to do this:
/sbin/iptables -t nat -A PREROUTING -p tcp -d 123.45.67.89 --dport 80 -j REDIRECT --to-ports 12345
/sbin/iptables-save > /etc/sysconfig/iptables
And I do this, an voila things work for the whole world. All machines in the world can see the server on port 80 on the machine.Except, on the machine itself. On the machine 123.45.67.89, I try to get to the server on 123.45.67.89:80, I get a can't connect error. On the machine if I try 123.45.67.89:12345 I can connect.What am I doing wrong here? I don't want localhost network really, I want the ip address and port, but I want the forwarding to work on the local machine. But it doesn't...
I see on my webserver some logs as follows Quote:
203.252.157.98 - :25:02 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
203.252.157.98 - :25:03 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @
[code]....
Quote:
-A RH-Firewall-1-INPUT -s 10.12.0.0/16 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Ex- 10.12.0.0/16, 172.150.0.0/16, 192.168.20.0/24
How can we add multiple sources network address in the above INPUT chain?
I googled this question, no relevant results. I don't samba, ssh, or any P2P file sharing. Is udp neccesary for general web browsing/file downloading? What would be the best general ufw rules to set for above conditions and varying ip address? I know how to use the full ufw syntax in command line.
View 5 Replies View RelatedI have a set of iptables rules generated by Firestarter, and i'm in the process of trying to familiarise myself with iptables itself, but there's one particular rule which is confusing me, perhaps somebody could explain it to me
My INPUT chain reads as follows:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- cdns01.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- cdns01.plus.net anywhere
ACCEPT tcp -- cdns02.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
[Code]...
Given that the firewall is actually blocking packets, it can't be this simple, so what am I missing?
what do the following two commands do? Do they modify the iptables rules in any way?
sudo /sbin/iptables -L -n
sudo /sbin/ip6tables -L -n
my ufw rules have been loaded and active yet using iptraf i see tcp connections on ports that were never allowed by ufw. can anyone explain this too me does ufw just not work?
View 6 Replies View RelatedWhen I upgraded to 10.4LT I agreed to something that stopped snort, after days decided to just re-do with new snort version. Used bodhi.zazen's MySql instruction version (which is what I used in the past) Everything went pretty well except for figuring out that I needed to delete all the lib_sfdynamic_preprocessor_example?? files (I also deleted all the lib_sfdynamic_example?? files too just to be safe). Used my original Oinkmaster with updated rules version and downloaded the emerging threats too (as I had in the past) and snort won't run with some of the emerging threat rules because it's lookning for snortsam (fwsam). I read up and snortsam looks like a good idea (if I'm wrong somebody just let me know)
if this seems dumb, but I really don't understand, the snortsam directions are HORRIBLE, the snortsam src looks like a windows file when unpacked with all the .dll files(but they say for all OS's), it builds but you need to copy the binary to /usr/local/bin (what in ubuntu would be a binary?).
the snortsam-patch-2.8.tar.gz won't unpack and the Snort 2.8.6 patch is a file, not a package (have no clue where to put it or what to call it if I got the 2.8.tar.gz to unpack so I could build it)
on a fresh Fedora 2.6.35.9-64.fc14.x86_64 installation I have little trouble with chrony. I love that tool for synchronyzing my clock. SELinux complains, that /usr/sbin/chronyd like to read/write to chronyd.pid. Further I find entries in /var/log/messages, that /var/lib/chrony/drift could not be opened. As I'm completely new to SELinux - I'd like to get some help setting the Security Rules. PS: Should the rules be quite fine from the FC-Repo?
View 11 Replies View RelatedI am trying to program iptable rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public ip to a private ip
2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip
I did some google searches for the same, and came up with the following.
iptables -A FORWARD -t filter -o eth0 -m state
state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
state ESTABLISHED,RELATED -j ACCEPT
Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.
View 1 Replies View RelatedI am setting my firewall rules using the command iptables.My question is i wanna know what command i can use that list rule 2 and 3 for instance in my table?i want to create rule that: The host is administered using SSH, scp and sftp so allow incoming SSH traffic and securing remote file copying and transferring.
View 2 Replies View RelatedHow do you delete ufw rules which you didn't make?
I want to block the FTP ports (20 & 21) but even if I put in DENY rules, it appears that these rules are letting traffic through
Code:
9 400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
How do I delete these rules? I've tried.
Code:
sudo ufw delete allow 20
sudo ufw delete proto tcp from any to any 20
but I get "Could not delete non-existent rule".
Since I didn't make those rules I have no idea what OpenBSD's PF syntax (what ufw uses) is for them.
When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.
View 2 Replies View RelatedI need with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.
Code:
LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
# Delete all existing rules
[code]....
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.
I put together the following filter set :
Code:
#!/bin/sh
#To understand this script, reference the No Starch Press Linux Firewalls Book.
MODPROBE=/sbin/modprobe
IPT=/sbin/iptables
IPTSV=/sbin/iptables-save
IPT6=/sbin/ip6tables
IPT6SV=/sbin/ip6tables-save
### flush / drop policy sets
echo "[+] Flushing existing rules with DEFAULT of DROP [+]"
echo "[+] IPv4 [+]"
$IPT -F
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "[+] IPv6 [+]"
$IPT6 -F
$IPT6 -F -t nat
$IPT6 -X
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP .....
###OUTPUT rules: LOG rule
$IPT -A OUTPUT -o ! lo -j LOG --log-prefix "DROPED OUTBOUND" --log-ip-options --log-tcp-options
I wanted to know how to allow certain applications through the outbound tables. For example, I wish to be able to use tools such as nmap,tracepath, and traceroute. However, I am not sure where to look to understand the ports to open. I was starting to think that maybe rather than ports to open it would need to be somehthing like tcp flags that would ned to be allowed. Any way, I have tried google and am still haing problems. I started wanting to use these tools due to getting ready for my network+ and security+ certs.